
Re: [Bug-cpio] [PATCH] fix 1-byte out-of-bounds write


From: Pavel Raiskup
Subject: Re: [Bug-cpio] [PATCH] fix 1-byte out-of-bounds write
Date: Mon, 13 Feb 2017 11:01:16 +0100
User-agent: KMail/5.3.3 (Linux/4.9.8-201.fc25.x86_64; KDE/5.29.0; x86_64; ; )

Just trying to ping with the re-based patch.

Even though this is probably not a very serious security issue, it might
lead to a crash, and I'm being pushed to fix this downstream (Debian and other distros
have already applied this patch and our clients are also requesting this).

I was thinking about what to do better WRT the original issue, but for anything
more systematic in CPIO/PAXUTILS the change would probably be much
larger.  OTOH, I'm fine with having a look if this is considered too bad a fix.

Thanks for having a look!
Pavel


On Tuesday, January 26, 2016 11:17:54 PM CET Pavel Raiskup wrote:
> Other calls to cpio_safer_name_suffix seem to be safe.
> 
> * src/copyin.c (process_copy_in):  Make sure that file_hdr.c_name
> has at least two bytes allocated.
> * src/util.c (cpio_safer_name_suffix): Document that use of this
> function requires care.
> ---
>  src/copyin.c | 2 ++
>  src/util.c   | 5 ++++-
>  2 files changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/src/copyin.c b/src/copyin.c
> index cde911e..032d35f 100644
> --- a/src/copyin.c
> +++ b/src/copyin.c
> @@ -1385,6 +1385,8 @@ process_copy_in ()
>         break;
>       }
>  
> +      if (file_hdr.c_namesize <= 1)
> +        file_hdr.c_name = xrealloc(file_hdr.c_name, 2);
>        cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
>                             false);
>        
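Review bot: the `xrealloc` in the `+` lines grows the buffer to 2 bytes but leaves `file_hdr.c_namesize` untouched, so the header's recorded name size no longer matches the buffer's capacity; either update it alongside (e.g. `file_hdr.c_namesize = 2;`) or add a comment stating why the value read from the archive must be preserved, so a later reader does not take `c_namesize` as the allocation size. Style: the surrounding code uses GNU spacing (`cpio_safer_name_suffix (`), so write `xrealloc (file_hdr.c_name, 2)`.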
> diff --git a/src/util.c b/src/util.c
> index 6ff6032..2763ac1 100644
> --- a/src/util.c
> +++ b/src/util.c
> @@ -1411,7 +1411,10 @@ set_file_times (int fd,
>  }
>  
>  /* Do we have to ignore absolute paths, and if so, does the filename
> -   have an absolute path?  */
> +   have an absolute path?
> +   Before calling this function make sure that the allocated NAME buffer has
> +   capacity at least 2 bytes to allow us to store the "." string inside.  */
> +
>  void
>  cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
>                       bool strip_leading_dots)
> 
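Review bot: the added empty `+` line puts a blank line between the comment block and the `void cpio_safer_name_suffix` definition it documents, detaching the new precondition from the function; drop it so the comment stays directly above the definition as before. Minor wording: "has a capacity of at least 2 bytes". Since the precondition is documented but not checked inside the function, it would help to say in the comment that callers own this guarantee (the commit message names `process_copy_in` as the one call site that needed fixing).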

Attachment: 0001-fix-1-byte-out-of-bounds-write.patch
Description: Text Data

